Main section
For whom our On-Premises CLM works best
On-Premises CLM Architecture
-
Centralised management platform: single point of control for discovery, inventory, lifecycle, compliance and governance
-
Multi-module: connect multiple CAs and enrolment interfaces simultaneously with consistent policy enforcement
-
Profile-based model: central policy changes that don't disrupt consuming systems
-
Lightweight agents (Windows/Linux): discovery and end-to-end lifecycle actions on target systems; agents translate between CLM APIs and legacy protocols, provide centralised visibility and work offline
-
All capabilities via REST API, with RBAC enforced across UI, WebRA and API
-
Connectivity: supports both outbound (platform → your systems) and inbound (your systems → platform APIs). You manage firewall, allowlisting and routing
When On-Premises is the better fit
-
Choose On-Premises when security or compliance teams do not allow credentials, service accounts or automation paths to be managed from a cloud-hosted platform
-
Choose On-Premises when deep internal integrations, isolated network zones or direct access to internal production systems cannot be exposed via customer-side agents or connectors
-
On-Premises keeps the CLM platform, credentials and direct LDAP/AD, F5, ITSM and CMDB integrations inside your infrastructure
Smaller, public-certificate estates are usually better served by our Cloud model. Unsure? Use the deployment selector
How does the On-Premises CLM integrate into your infrastructure?
-
Load balancers / ADC / network: F5 BIG-IP (iControl REST, AS3), Citrix ADC (NetScaler), Fortinet FortiGate, Cloudflare
-
WAF / security: Ergon Airlock
-
DNS (provisioning & ACME DNS-01): EfficientIP, Infoblox, RFC 2136, AWS Route 53, Cloudflare, Azure DNS, Google Cloud DNS
-
PKI / CAs: Microsoft ADCS, Evertrust Stream, SwissSign, DigiCert, Entrust, Sectigo, ACME providers (e.g. Let's Encrypt), EJBCA
-
Containers: Kubernetes (cert-manager, secrets update, hot-reload), OpenShift
-
Cloud vaults: AWS Secrets Manager / ACM, Azure Key Vault, Google Cloud Certificate Manager
-
MDM: Microsoft Intune (SCEP & PKCS), Jamf Pro, MobileIron / Ivanti
-
DevOps: Ansible (full collection), Terraform (provider)
-
ITSM: ServiceNow (change-request workflow), Jira
-
SIEM / logging: Splunk, IBM QRadar
-
IdP: OIDC (Entra ID, Okta, Keycloak), SCIM v2
-
HSM / KMS: Thales, Securosys, Azure Key Vault
-
Directory: Microsoft AD, LDAP publishing
-
CBOM: import/export of Cryptography Bill of Materials
-
Automation protocols: ACME, EST, SCEP, WSTEP/MS WCCE, MDM, Intune, agents
How does the implementation work?
-
Many organisations implement our CLM on their own
-
We offer a range of services (via separate SOWs) to support you (onboarding, PKI integration support, workflow customisation, API integration, migration, discovery optimisation, training and workshops)
-
Organisations also chose to work with their trusted IT integrator
Ready to bring certificate automation inside your perimeter?
Shrinking certificate lifetimes and post-quantum migration demand automation, but regulated, deeply integrated estates need it on their own terms. Run SwissSign CLM inside your network, with credentials and data that never leave your infrastructure. Talk to our experts about your deployment, or start with an evaluation licence.
Frequently Asked Questions
Agents are designed to work offline and keep credentials inside your perimeter.
Yes; migration and PKI-consolidation workflows are supported via Professional Services.
Our CLM is built for large-scale estates: a standard deployment can manage up to around 200,000 certificates, while high-availability or distributed deployments can scale to tens of millions.




